How to deploy TLS on MySQL 5.6
Published 2025-01-22 by the 千家信息网 editorial team (last updated 2025-01-22)

This article walks through enabling TLS on a MySQL 5.6 server: create an account that may only connect over an encrypted channel, build a private CA and a server certificate with openssl, point mysqld at them, confirm with tcpdump and tshark that the traffic is no longer readable on the wire, and finally issue a client certificate.
Note: installation of MySQL 5.6 itself is omitted.
[root@localhost ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.40 Source distribution

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show variables like 'version%';
+-------------------------+---------------------+
| Variable_name           | Value               |
+-------------------------+---------------------+
| version                 | 5.6.40              |
| version_comment         | Source distribution |
| version_compile_machine | x86_64              |
| version_compile_os      | Linux               |
+-------------------------+---------------------+
4 rows in set (0.01 sec)

# Create a new user
mysql> create user tlstest@'%' identified by '123456';
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,ssl_type,password from user;
+-----------+---------+----------+-------------------------------------------+
| host      | user    | ssl_type | password                                  |
+-----------+---------+----------+-------------------------------------------+
| localhost | root    |          | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| %         | tlstest |          | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
+-----------+---------+----------+-------------------------------------------+
2 rows in set (0.00 sec)
# Note: root and tlstest carry the identical mysql_native_password hash, i.e. root
# is also using '123456'. Acceptable on a throwaway test box only; never pair a
# '%' host wildcard with a weak password on anything reachable.

mysql> create database tlsdb;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
| tlsdb              |
+--------------------+
5 rows in set (0.01 sec)

# Grant the user access to one database only
mysql> grant all privileges on tlsdb.* to tlstest@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for tlstest@'%';
+--------------------------------------------------------------------------------------------------------------------+
| Grants for tlstest@%                                                                                               |
+--------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'tlstest'@'%' IDENTIFIED BY PASSWORD '*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9' REQUIRE SSL |
| GRANT ALL PRIVILEGES ON `tlsdb`.* TO 'tlstest'@'%'                                                                 |
+--------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

# Test: unencrypted traffic (a plaintext login over TCP, captured on loopback)
[root@localhost ~]# tcpdump -l -i lo -w - src or dst port 3306 | strings
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
4~ @43x@4~!@[{4,[{5,
5.6.40
U@"(AOHZm8i,=0v&WabJ
mysql_native_password
root
mysql_native_password
Linux
_client_name
libmysql
_pid
1788
_client_version
5.6.40
_platform
x86_64
program_name
mysql
select @@version_comment limit 1
@@version_comment
Source distribution
show databases
information_schema
SCHEMATA
SCHEMATA
Database
SCHEMA_NAME
information_schema
mysql
performance_schema
test
tlsdb
# Everything is readable on the wire: user name, client metadata, every query and
# every result row. The password itself is not sent in clear (mysql_native_password
# is a challenge-response), but the 20-byte response plus the scramble in the same
# capture is enough for an offline dictionary attack.

# Now require TLS for the account
mysql> grant all privileges on tlsdb.* to tlstest@'%' require ssl;
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,ssl_type from user;
+-----------+---------+----------+
| host      | user    | ssl_type |
+-----------+---------+----------+
| localhost | root    |          |
| %         | tlstest | ANY      |
+-----------+---------+----------+
2 rows in set (0.01 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.6.40, for Linux (x86_64) using  EditLine wrapper

Connection id:          6
Current database:
Current user:           root@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.6.40 Source distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /project/mysql5.6/tmp/mysql.sock
Uptime:                 1 day 16 hours 2 min 4 sec

Threads: 1  Questions: 76  Slow queries: 0  Opens: 87  Flush tables: 1  Open tables: 80  Queries per second avg: 0.000
--------------

# Check the TLS configuration and status. Nothing is configured yet, so at this
# point the REQUIRE SSL account cannot log in at all: the server has no certificate
# to offer and will reject the unencrypted login.
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_crl       |          |
| ssl_crlpath   |          |
| ssl_key       |          |
+---------------+----------+
9 rows in set (0.00 sec)
# have_ssl = DISABLED means the binary was built with TLS support but no
# certificate is configured; NO would mean the build has no TLS support at all.

# ssl_type records what the account's REQUIRE clause demands of the connection:
# ''        default: no requirement, plaintext connections are allowed.
# ANY       REQUIRE SSL: the connection must be TLS-encrypted; no client certificate
#           is demanded. Whether the *server's* certificate is validated is decided
#           by the client (--ssl-ca, --ssl-verify-server-cert), not by this setting.
# X509      REQUIRE X509: the client must present a certificate signed by a CA the
#           server trusts (ssl_ca); any subject is accepted.
# SPECIFIED REQUIRE ISSUER, REQUIRE SUBJECT and/or REQUIRE CIPHER, alone or
#           combined: the client certificate's issuer and/or subject must match
#           exactly, and/or a specific cipher suite must be negotiated.
[root@localhost ~]# mkdir /project/mysql5.6/certs
[root@localhost ~]# cd /project/mysql5.6/certs/
[root@localhost mysql5.6]# chown -R mysql.mysql certs/
[root@localhost certs]# openssl genrsa -out mysql_ca_rsa.key 2048
Generating RSA private key, 2048 bit long modulus
..+++
....................................................................................................................................+++
e is 65537 (0x10001)
[root@localhost certs]# openssl req -new -x509 -key mysql_ca_rsa.key -days 730 -sha256 -out mysql_ca.crt -subj /C=CN/ST=BeiJing/L=BeiJing/O=mysqlDB/OU=mysql/CN=mysql_CA/emailAddress=mysqladmin@test.com
[root@localhost certs]# openssl genrsa -out mysql_rsa.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................+++
....................................................................+++
e is 65537 (0x10001)
[root@localhost certs]# openssl req -new -key mysql_rsa.key -days 365 -out mysql_server.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=mysqlDB/OU=mysql/CN=mysql_server/emailAddress=mysqladmin@test.com
# (-days has no effect on a CSR; the validity period is set when the CA signs it below.
# Note also that the CA subject and the server subject differ: mysqld refuses a
# server certificate whose subject equals the CA's.)
[root@localhost certs]# ll
total 16
-rw-r--r--. 1 mysql mysql 1415 Dec 18 14:44 mysql_ca.crt
-rw-r--r--. 1 mysql mysql 1679 Dec 18 14:43 mysql_ca_rsa.key
-rw-r--r--. 1 mysql mysql 1675 Dec 18 14:45 mysql_rsa.key
-rw-r--r--. 1 mysql mysql 1058 Dec 18 14:45 mysql_server.csr
# Both private keys are mode 0644, i.e. readable by every local user. Keys should be
# 0600 and owned by the user that needs them, and the CA key should not remain on the
# database host once the certificates are issued.
[root@localhost certs]# openssl x509 -req -sha256 -days 365 -CA mysql_ca.crt -CAkey mysql_ca_rsa.key -CAcreateserial -in mysql_server.csr -out mysql_server.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=mysqlDB/OU=mysql/CN=mysql_server/emailAddress=mysqladmin@test.com
Getting CA Private Key
[root@localhost certs]# vim ../my.cnf
[mysqld]
ssl_ca= /project/mysql5.6/certs/mysql_ca.crt
ssl_cert= /project/mysql5.6/certs/mysql_server.crt
ssl_key= /project/mysql5.6/certs/mysql_rsa.key
ssl_cipher= DHE-RSA-AES256-SHA
[root@localhost certs]# /etc/init.d/mysqld restart
Shutting down MySQL... SUCCESS!
Starting MySQL... SUCCESS!
# Connect as the TLS-only account, telling the client which CA to trust
[root@localhost ~]# mysql -u tlstest --ssl-ca=/project/mysql5.6/certs/mysql_ca.crt --ssl=1 -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.6.40 Source distribution

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.6.40, for Linux (x86_64) using  EditLine wrapper

Connection id:          8
Current database:
Current user:           tlstest@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.6.40 Source distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /project/mysql5.6/tmp/mysql.sock
Uptime:                 19 min 26 sec

Threads: 2  Questions: 115  Slow queries: 0  Opens: 87  Flush tables: 1  Open tables: 80  Queries per second avg: 0.098
--------------
# TLS was negotiated even though this session runs over the Unix socket: the
# REQUIRE SSL account forces it regardless of transport. The capture further down
# therefore connects with -h 127.0.0.1 so that there is a TCP stream to sniff.

mysql> show variables like '%ssl%';
+---------------+------------------------------------------+
| Variable_name | Value                                    |
+---------------+------------------------------------------+
| have_openssl  | YES                                      |
| have_ssl      | YES                                      |
| ssl_ca        | /project/mysql5.6/certs/mysql_ca.crt     |
| ssl_capath    |                                          |
| ssl_cert      | /project/mysql5.6/certs/mysql_server.crt |
| ssl_cipher    | DHE-RSA-AES256-SHA                       |
| ssl_crl       |                                          |
| ssl_crlpath   |                                          |
| ssl_key       | /project/mysql5.6/certs/mysql_rsa.key    |
+---------------+------------------------------------------+
9 rows in set (0.00 sec)

mysql> show variables like '%public%';
+---------------------------------+----------------+
| Variable_name                   | Value          |
+---------------------------------+----------------+
| sha256_password_public_key_path | public_key.pem |
+---------------------------------+----------------+
1 row in set (0.00 sec)
# (Unrelated to TLS: this is the RSA key pair the sha256_password plugin uses to
# protect passwords on unencrypted connections.)

# Packet capture test
[root@localhost ~]# mysql -u tlstest -h 127.0.0.1 -P 3306 --ssl-ca=/project/mysql5.6/certs/mysql_ca.crt --ssl=1 -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.6.40 Source distribution

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
| tlsdb              |
+--------------------+
3 rows in set (2.80 sec)

[root@localhost ~]# tcpdump -l -i lo -w - src or dst port 3306 | strings
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
5.6.40
\H1ZU{-hFeL))2_hka$0
mysql_native_password
SJY8D
BeiJing1
BeiJing1
mysqlDB1
mysql1
mysql_CA1"0
 mysqladmin@test.com0
181218064627Z
191218064627Z0
BeiJing1
BeiJing1
mysqlDB1
mysql1
mysql_server1"0
 mysqladmin@test.com0
7RX$zQ##tgi9b}v}q`so{.R
!3>Y9N_.7NfC
BeiJing1
BeiJing1
mysqlDB1
mysql1
mysql_CA1"0
 mysqladmin@test.com0
181218064406Z
201217064406Z0
BeiJing1
BeiJing1
mysqlDB1
mysql1
mysql_CA1"0
 mysqladmin@test.com0
CU/5J)?J6/J!Cy
|!Lu!A{EA_KBTIP|iP0N0"7A-"7A-KU..k-U95a6XfvNa7W\m?WUBlqzw:.`Z9SGnW5X}?Yg}d}wlaDufIlV0hC+,WR2IE[rjrI)5{.t*
G^EN81(.Hyz5=?~nNr@l<
O_eiq(%K2R#-8DE:#?MOZBI)ua":n+S1JZlFP*Z*4
# What remains readable is the server greeting (version string, auth plugin name)
# and the X.509 issuer/subject names and validity dates of the server certificate
# and the CA it sent during the handshake; in TLS 1.0 to 1.2 the certificate
# chain travels in the clear. No user name, no "show databases" and no result
# rows appear any more.

[root@localhost ~]# tshark -ni lo -R "tcp.dstport eq 3306"
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'Loopback'
  1 0.000000000    127.0.0.1 -> 127.0.0.1    TCP 74 43154 > 3306 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=8184814 TSecr=0 WS=128
  3 0.000092859    127.0.0.1 -> 127.0.0.1    TCP 66 43154 > 3306 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=8184814 TSecr=8184814
  5 0.000434952    127.0.0.1 -> 127.0.0.1    TCP 66 43154 > 3306 [ACK] Seq=1 Ack=79 Win=43776 Len=0 TSval=8184814 TSecr=8184814
  6 0.000604778    127.0.0.1 -> 127.0.0.1    MySQL 102 Login Request user=
  8 0.003121269    127.0.0.1 -> 127.0.0.1    TCP 247 [TCP segment of a reassembled PDU]
 11 0.017109037    127.0.0.1 -> 127.0.0.1    TCP 66 43154 > 3306 [ACK] Seq=218 Ack=2894 Win=174720 Len=0 TSval=8184831 TSecr=8184820
 12 0.025592782    127.0.0.1 -> 127.0.0.1    TCP 404 [TCP segment of a reassembled PDU]
 14 0.029730886    127.0.0.1 -> 127.0.0.1    TCP 332 [TCP segment of a reassembled PDU]
 16 0.030049352    127.0.0.1 -> 127.0.0.1    TCP 172 [TCP segment of a reassembled PDU]
 18 0.071404170    127.0.0.1 -> 127.0.0.1    TCP 66 43154 > 3306 [ACK] Seq=928 Ack=3356 Win=185984 Len=0 TSval=8184885 TSecr=8184844
 19 11.507220009   127.0.0.1 -> 127.0.0.1    TCP 156 [TCP segment of a reassembled PDU]
 21 11.507794338   127.0.0.1 -> 127.0.0.1    TCP 66 43154 > 3306 [ACK] Seq=1018 Ack=3574 Win=191616 Len=0 TSval=8196321 TSecr=8196321
# Frame 6, "Login Request user=" with an empty user, is the client's SSLRequest:
# 102 bytes on the wire minus the 66 bytes of Ethernet/IP/TCP headers seen on the
# pure ACKs leaves exactly the 36-byte SSLRequest, in which the client only sets
# the CLIENT_SSL capability flag and sends no credentials. The TLS handshake
# follows as opaque segments (frames 8 to 16), and the real login with user name
# and auth response, like every later query, goes inside the encrypted channel.
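The following shell script is an added example and not part of the original article: it decodes the first packet a MySQL client sends after the server greeting and shows why frame 6 above is a "Login Request" with an empty user. Both clients send the same 36-byte prefix (4-byte packet header, 4-byte capability flags, 4-byte max packet size, 1-byte charset, 23 reserved bytes); a TLS client stops there with CLIENT_SSL (0x0800) set, a plaintext client continues with the NUL-terminated user name. The two sample packets are constructed by hand for this example, not taken from the capture.

```shell
#!/bin/sh
# Added example (not from the article): classify the first client packet of a
# MySQL connection as an SSLRequest or a plaintext HandshakeResponse41.
# Input is the packet as a hex string. Portable POSIX sh, no xxd/bash needed.

# Two hex digits of byte N (0-based) of a hex string.
byte_at() {          # byte_at HEX N
    printf '%s' "$1" | cut -c"$((2 * $2 + 1))-$((2 * $2 + 2))"
}

# NUL-terminated ASCII string starting at byte N.
cstring_at() {       # cstring_at HEX N
    rest=$(printf '%s' "$1" | cut -c"$((2 * $2 + 1))-")
    while [ -n "$rest" ]; do
        pair=${rest%"${rest#??}"}; rest=${rest#??}
        [ "$pair" = "00" ] && break
        printf "\\$(printf '%03o' "0x$pair")"
    done
}

# 32-bit little-endian capability flags at bytes 4..7 (right after the packet header).
capability_flags() { # capability_flags HEX
    echo $((0x$(byte_at "$1" 7)$(byte_at "$1" 6)$(byte_at "$1" 5)$(byte_at "$1" 4)))
}

# Prints "ssl-request" or "plaintext-login <user>".
first_client_packet_kind() {
    flags=$(capability_flags "$1")
    if [ $((flags & 0x0800)) -ne 0 ]; then          # CLIENT_SSL set: no credentials yet
        echo "ssl-request"
    else
        # header(4) + flags(4) + max_packet(4) + charset(1) + reserved(23) = byte 36
        echo "plaintext-login $(cstring_at "$1" 36)"
    fi
}

# Constructed samples (hex). Header: length 0x20 / 0x26, sequence 1.
# Flags 0x8a01 = LONG_PASSWORD|PROTOCOL_41|CLIENT_SSL|SECURE_CONNECTION,
# 0x8201 is the same without CLIENT_SSL. Max packet 16 MiB, charset 0x21 (utf8).
ZERO23=$(printf '%046d' 0)                                   # 23 reserved zero bytes
SAMPLE_SSLREQUEST="20000001018a00000000000121${ZERO23}"
SAMPLE_PLAINTEXT_LOGIN="26000001018200000000000121${ZERO23}726f6f740000"   # "root\0", empty auth

first_client_packet_kind "$SAMPLE_SSLREQUEST"        # ssl-request
first_client_packet_kind "$SAMPLE_PLAINTEXT_LOGIN"   # plaintext-login root
```

Feed it the hex of frame 6's TCP payload (for example from `tshark -T fields -e tcp.payload`) and it prints `ssl-request`; the plaintext root login from the first capture prints `plaintext-login root`. tshark labels the SSLRequest "Login Request" because it shares the HandshakeResponse41 layout; the empty user is the tell.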
tshark does not dissect the handshake above as TLS (it decodes port 3306 as MySQL), so the capture says nothing about the protocol version. Which version is negotiated depends on the library mysqld was built with: a 5.6 server linked against the bundled yaSSL speaks TLSv1.0 only, while OpenSSL builds of later 5.6 point releases (5.6.23 onward) can also negotiate TLSv1.1 and TLSv1.2. 5.6 has no tls_version variable to pin a minimum (that arrived in 5.7), so check each session with SHOW STATUS LIKE 'Ssl_version' and SHOW STATUS LIKE 'Ssl_cipher'. The ssl_cipher chosen above, DHE-RSA-AES256-SHA, is a TLS 1.0-era CBC/SHA-1 suite; it does give forward secrecy, but nothing better is reachable without a newer server. Two client-side caveats for 5.6: --ssl=1 merely permits TLS, and a client relying on it silently falls back to plaintext when the server (or a man-in-the-middle) claims not to support TLS (the BACKRONYM downgrade), so use --ssl-mode=REQUIRED (available in the 5.6 client from 5.6.30) to make the client refuse an unencrypted connection. Passing --ssl-ca makes the client check the server certificate's signature, but not the host name; --ssl-verify-server-cert adds that check by comparing the certificate CN with the host you connect to, which is why the server certificate should carry the DNS name clients use rather than CN=mysql_server as above (against 127.0.0.1 that check would fail).
# Issue a client certificate from the same CA
[root@localhost certs]# openssl genrsa -out client01.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
................+++
e is 65537 (0x10001)
[root@localhost certs]# openssl req -new -key client01.key -out client01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=mysqlDB/OU=mysql/CN=mysql_cli01/emailAddress=mysqladmin@test.com
[root@localhost certs]# openssl x509 -req -sha256 -days 365 -CA mysql_ca.crt -CAkey mysql_ca_rsa.key -CAcreateserial -in client01.csr -out client01.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=mysqlDB/OU=mysql/CN=mysql_cli01/emailAddress=mysqladmin@test.com
Getting CA Private Key
[root@localhost certs]# ll
total 36
-rw-r--r--. 1 mysql mysql 1302 Dec 18 15:55 client01.crt
-rw-r--r--. 1 mysql mysql 1058 Dec 18 15:54 client01.csr
-rw-r--r--. 1 mysql mysql 1679 Dec 18 15:54 client01.key
-rw-r--r--. 1 mysql mysql 1415 Dec 18 14:44 mysql_ca.crt
-rw-r--r--. 1 mysql mysql 1679 Dec 18 14:43 mysql_ca_rsa.key
-rw-r--r--. 1 mysql mysql   17 Dec 18 15:55 mysql_ca.srl
-rw-r--r--. 1 mysql mysql 1675 Dec 18 14:45 mysql_rsa.key
-rw-r--r--. 1 mysql mysql 1306 Dec 18 14:46 mysql_server.crt
-rw-r--r--. 1 mysql mysql 1058 Dec 18 14:45 mysql_server.csr

# Connect presenting the client certificate and key
[root@localhost ~]# mysql -u tlstest --ssl-ca=/project/mysql5.6/certs/mysql_ca.crt --ssl=1 --ssl-cert=/project/mysql5.6/certs/client01.crt --ssl-key=/project/mysql5.6/certs/client01.key -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 28
Server version: 5.6.40 Source distribution

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

The login succeeds, but with ssl_type still ANY (REQUIRE SSL) the client certificate is optional: the server would have accepted the same account without --ssl-cert/--ssl-key, so anyone who learns the password still gets in. To make the certificate mandatory the account needs REQUIRE X509 (any certificate signed by the CA in ssl_ca) or REQUIRE SUBJECT with the exact distinguished name to pin one client. Note also that the CA private key (mysql_ca_rsa.key) and the client key both sit on the database host, world-readable: the client key belongs on the client only, and the CA key should be taken offline once the certificates are issued.
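The script below is an added example, not code from the original article; it redoes the server-side certificate procedure from earlier and the client certificate just issued, but the way it should be done on a real database host. Private keys are created with mode 0600, the CA and server subjects are forced to differ (mysqld rejects identical subjects), the server CN is set to the host name clients will pass to --ssl-verify-server-cert, and every leaf is chained back to the CA and matched to its key before mysqld is restarted. The output directory, host name and client name are assumptions passed as arguments; the subject prefix reuses the article's values.

```shell
#!/bin/sh
# Added example (not from the article). Usage:
#   make_mysql_tls_pki   OUTDIR SERVER_HOSTNAME CLIENT_NAME
#   verify_mysql_tls_pki OUTDIR CLIENT_NAME
# Requires the openssl CLI (1.0.2 or later; 1.1/3.x tested syntax).

make_mysql_tls_pki() {
    dir=$1 host=$2 client=$3
    base="/C=CN/ST=BeiJing/L=BeiJing/O=mysqlDB/OU=mysql"
    mkdir -p "$dir" && chmod 700 "$dir"
    (
        umask 077    # private keys and CSRs are born 0600

        # 1. CA: self-signed, 2048-bit RSA, SHA-256, two years. Move ca.key off
        #    the database host once the certificates below have been issued.
        openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
            -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "$base/CN=mysql_CA"

        # 2. Server key + CSR, then sign. CN = the host name clients connect to,
        #    so --ssl-verify-server-cert can succeed; subject differs from the CA.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.csr" -subj "$base/CN=$host"
        openssl x509 -req -sha256 -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -in "$dir/server.csr" -out "$dir/server.crt"

        # 3. Client key + CSR, signed by the same CA (for REQUIRE X509 / SUBJECT).
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$client.key" -out "$dir/$client.csr" -subj "$base/CN=$client"
        openssl x509 -req -sha256 -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -in "$dir/$client.csr" -out "$dir/$client.crt"
    ) >/dev/null 2>&1 || return 1
    rm -f "$dir"/*.csr                         # CSRs are not needed after signing
    chmod 644 "$dir"/*.crt                     # certificates are public, keys stay 0600
    # mysqld must be able to read its own key; only meaningful where the account exists
    if id mysql >/dev/null 2>&1; then
        chown mysql: "$dir/server.key" "$dir/server.crt" "$dir/ca.crt" \
            || echo "warning: could not chown server material to mysql" >&2
    fi
}

# Returns 0 only if mysqld would accept this material and no key is too permissive.
verify_mysql_tls_pki() {
    dir=$1 client=$2
    for c in "$dir/server.crt" "$dir/$client.crt"; do
        openssl verify -CAfile "$dir/ca.crt" "$c" 2>/dev/null | grep -q ': OK$' \
            || { echo "$c does not chain to ca.crt" >&2; return 1; }
    done
    [ "$(openssl x509 -noout -subject -in "$dir/ca.crt")" != \
      "$(openssl x509 -noout -subject -in "$dir/server.crt")" ] \
        || { echo "CA and server certificate subjects must differ" >&2; return 1; }
    # key/cert pairing: the SubjectPublicKeyInfo must be identical on both sides
    [ "$(openssl x509 -noout -pubkey -in "$dir/server.crt" | openssl sha256)" = \
      "$(openssl pkey -pubout -in "$dir/server.key" | openssl sha256)" ] \
        || { echo "server.key does not belong to server.crt" >&2; return 1; }
    for k in "$dir"/*.key; do
        case $(ls -l "$k" | cut -c5-10) in
            ------) ;;
            *) echo "$k is readable by group/other" >&2; return 1 ;;
        esac
    done
}

# Matching server settings and account clause (paths as generated above):
#   [mysqld]
#   ssl_ca   = OUTDIR/ca.crt
#   ssl_cert = OUTDIR/server.crt
#   ssl_key  = OUTDIR/server.key
# and, to make the client certificate mandatory instead of optional:
#   GRANT USAGE ON *.* TO 'tlstest'@'%' REQUIRE X509;

if [ $# -eq 3 ]; then
    make_mysql_tls_pki "$1" "$2" "$3" && verify_mysql_tls_pki "$1" "$3" && echo "PKI OK in $1"
fi
```

Run it as `sh make_pki.sh /project/mysql5.6/certs db01.example.internal client01` (paths and names are placeholders) and restart mysqld only when it prints `PKI OK`; the verify function is also worth re-running from cron, since an expired or swapped certificate is otherwise only discovered when clients start failing.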